[wasm-gc] Fix array.new_with_rtt within loop

Since array.new_with_rtt implicitly introduces a loop, we should mark any loop including this instruction as non-innermost. Bug: chromium:1236958 Change-Id: I2d92b5fdba748df0e4ac1d6cbc524428b1042578 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3080574 Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#76178}

[wasm-gc] Fix array.new_with_rtt within loop
Since array.new_with_rtt implicitly introduces a loop, we should mark any loop including this instruction as non-innermost. Bug: chromium:1236958 Change-Id: I2d92b5fdba748df0e4ac1d6cbc524428b1042578 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3080574 Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#76178}
16d9a1eb · Manos Koukoutos · V8 LUCI CQ · 1c0cca0f · 16d9a1eb · 16d9a1eb
Commit 16d9a1eb authored Aug 09, 2021 by Manos Koukoutos Committed by V8 LUCI CQ Aug 09, 2021
Showing with 29 additions and 0 deletions

wasm-compiler.cc src/compiler/wasm-compiler.cc +3 -0

graph-builder-interface.cc src/wasm/graph-builder-interface.cc +3 -0

regress-1236958.js test/mjsunit/regress/wasm/regress-1236958.js +23 -0

No files found.
--- a/src/compiler/wasm-compiler.cc
+++ b/src/compiler/wasm-compiler.cc
@@ -5618,6 +5618,9 @@ Node* WasmGraphBuilder::ArrayNewWithRtt(uint32_t array_index,
      gasm_->CallBuiltin(stub, Operator::kEliminatable, rtt, length,
                         Int32Constant(element_type.element_size_bytes()));
  if (initial_value != nullptr) {
+    // TODO(manoskouk): If the loop is ever removed here, we have to update
+    // ArrayNewWithRtt() in graph-builder-interface.cc to not mark the current
+    // loop as non-innermost.
    auto loop = gasm_->MakeLoopLabel(MachineRepresentation::kWord32);
    auto done = gasm_->MakeLabel();
    Node* start_offset =

--- a/src/wasm/graph-builder-interface.cc
+++ b/src/wasm/graph-builder-interface.cc
@@ -948,6 +948,9 @@ class WasmGraphBuildingInterface {
    result->node = builder_->ArrayNewWithRtt(imm.index, imm.array_type,
                                             length.node, initial_value.node,
                                             rtt.node, decoder->position());
+    // array.new_with_rtt introduces a loop. Therefore, we have to mark the
+    // immediately nesting loop (if any) as non-innermost.
+    if (!loop_infos_.empty()) loop_infos_.back().is_innermost = false;
  }

  void ArrayNewDefault(FullDecoder* decoder,

--- a/test/mjsunit/regress/wasm/regress-1236958.js
+++ b/test/mjsunit/regress/wasm/regress-1236958.js
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --experimental-wasm-gc
+
+d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');
+
+var builder = new WasmModuleBuilder();
+
+let array = builder.addArray(kWasmI64, true);
+
+builder.addFunction('test', kSig_v_v)
+    .addBody([kExprLoop, kWasmVoid,
+                kExprI64Const, 15,
+                kExprI32Const, 12,
+                kGCPrefix, kExprRttCanon, array,
+                kGCPrefix, kExprArrayNewWithRtt, array,
+                kExprDrop,
+              kExprEnd])
+    .exportFunc();
+
+builder.instantiate();